Tuesday, March 11, 2014

Micorosft Update Tuesday: March 2014, all about IE (including two 0-day fixes)

It's Microsoft Update Tuesday. While this month is relatively minor, a total of 5
bulletins, it is pretty large for the requisite Internet Explorer bulletin. There’s
a total of 23 CVEs covered by the bulletins, 18 of which are found in IE.

There’s 2 critical and 3 important bulletins this month:

MS14-012 is the first critical bulletin and is the IE
bulletin. Most of the vulnerabilities are, as usual, the result of "use-after-free" vulnerabilities. One of the vulnerabilities,
CVE-2014-0322, was known publicly
before the update and saw targeted attacks since February 14th. The temporary
workaround in security advisory 2934088 that has been available from Microsoft since February 19th is now
being replaced by a more formal fix. The vulnerability was being exploited in a
watering hole attack at vfw.org. Microsoft is also providing a fix for another
0-day use-after-free vulnerability, CVE-2014-0324, which has seen very limited
targeted attacks. The exploit targeted IE8 specifically and the update that
Microsoft issued in their December Update (MS13-106) that fixes an ASLR bypass in
HXDS.dll makes this vulnerability harder to exploit.

Next up is a critical vulnerability in DirectShow
(MS14-013), where a specially crafted JPEG results in a double free
vulnerability (CVE-2014-0301) that may result in remote code execution. While DirectShow is the
underlying application that is vulnerable, IE would be used as an attack vector
to get the victim to load the malicious JPEG.

MS14-015 is also marked important and fixes 2 CVEs in Windows
Kernel Mode Drivers. The first update is for CVE-2014-0323 and fixes
a publicly known information disclosure vulnerability that could allow an
attacker to read arbitrary addresses that would allow it to be used to bypass
ASLR. The other update fixes a vulnerability that could result in an
escalation of privileges (CVE-2014-300).

The final bulletin (MS14-016) for this month is also
considered important and is a vulnerability (CVE-2014-0317) in the Security
Account Manager Remote (SAMR) that could allow an attacker that is
brute-forcing passwords to bypass the account lockout feature. This could allow
an attacker to continue a brute-force attack by resetting the lockout.